Posted
by
timothy
on Sunday April 03, 2011 @08:34AM
from the start-thinking-of-random-things dept.

An anonymous reader writes "Scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany have developed a novel method to improve password security. A strong long password is split in two parts. The first part is memorized by a human. The second part is stored as a CAPTCHA-like image of a chaotic lattice system."

No, from the article i got the idea was:1. Split password into 2 pieces, a normal password and a captcha part2. Now if you bruteforce, you could miss on the second part, meaning bruteforcing will just take a bit more timeMeaning that "standard bruteforce" is still valid.

If I write an 8 character password with the keys I can see on my keyboard at the moment, you get - 6,095,689,385,410,816 permutations.

Using my 'very quick' calculations which are more than probably not very accurate- if using a 3.5 GHz processor which can hash and check each password in a single cycle (which is a very funny proposition indeed) - it'll take you 20 days. If the system upgrades to a 9 character password

If your password is to a system that is worth the effort, then it's likely going to lock out after 3 tries.. I realize you are speaking generically, but unless you can subvert that feature, you can't try more than N times without invalidating the account..

How do you unlock it? Second password, probably. Also, many, many secure systems don't lock you out because it's a pain in the ass to get it unlocked. If you want to mess someone up and can't guess their password then lock their account up.

Standard bruteforce has always been generally valid, though there are cases where it doesn't work as well such as account lockout and those places where logs are watched carefully.

If the password database can be retrieved, it generally works better, though a bit of salting helps to address that. Distributed computing solutions for rainbow tables help cut down the time needed to break these, and I imagine that places like the NSA devote both dedicated and spare cycles to building up their own rainbow tables

Captcha image is encoded using the user's password. To brute force you'd either need to check the captcha images for each password combination or brute force the whole string (password+captcha) which is twice as long so will take an order of magnitude longer.

There are plenty of other key stretching techniques so not sure why this is any better tho.

There are plenty of other key stretching techniques so not sure why this is any better tho.

You can only see the CAPTCHA text when you enter the correct password, a wrong password will just lead to random noise. Their claim is now that the presence of the CAPTCHA text cannot be detected by algorithms because to an algorithm, the picture will basically look the same in both cases.

I don't buy this. They study a system close to a continuous phase transition, meaning that it is self-similar, and there is no singular length-scale that shows up in any correlation function. By introducing the CAPTCHA tex

If you read our paper you will see that for an incorrect password you will still be in a vicinity of the correct initial condition. The Lyapunov exponents will get this difference multiplied, but the picture for the final evolution will still be very similar nomatter whether the password is correct or not correct.

Sorry, but I still don't understand why your approach is different from a key stretching function. I suppose the result of the time evolution should be quite different as one will reveal the CAPTCHA text and one will not. But as I said, there will be signatures of the presence of the text in the correlations functions, from which you can deduce that you guessed the correct password.

A bot can't keep a list of checked passwords, because it's impossible to tell whether the password failed because of the static part or the part which is changing with every attempt (the captcha). Therefore there's no guarantee that your bruteforce will succeed in a certain time, that is after a certain number of attempts.

Not only does this not look to me like a particularly professional reporting site, if you follow the link on the page 'Which authors of this paper are endorsers?' you get the following;-

"No authors of 1103.6219 can endorse.The weak password problem: chaos, criticality, and encrypted p-CAPTCHAsTetyana Laptyeva V.: Is registered as an author of this paper.Not currently an endorser.S. Flach and K. Kladko are not registered as owners of this paper"

Perhaps analyze this idea for its own worth rather than look for silly reasons to discard it? How about that it relies on generating a secure password already, which would be hard for people to memorize, how the blind couldn't use it, or how it's really just the combination of two already common ideas?

I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take

then your "solution" will be to suggest the use of a private key, which is nothing more than a lengthy password that's often stored in a file that can be easily stolen.

Except that if someone steals the USB dongle on my keychain, I'm likely to notice.

Sure, it's possible that there's malware on the computer copying all of my keys as I speak, but the same could be said for the keylogger copying all my passwords, so its pretty easy to establish that public/private keypairs are more secure than just plain passwo

Well, if you actually read the paper, you'd have answers to those questions.

What they are proposing is a method that uses CAPTCHA-like systems to make the automating brute-forcing of the password much more difficult (but, since it's a CAPTCHA, it's still easy for a human to handle). The idea is that then you don't need the human to memorize as strong of a password: you can get the same level of security with weaker passwords. This won't let people use trivial passwords, but would allow you to greatly decrea

The real solution is to let the user have their dumb password that is easy to remember, but require them to also scan some biometric like their fingerprint or iris. This way, the only way that they can be compromised is by an attacker having access to both some physical characteristic in combination with their easy-to-guess password.

There are 3 basic ways a person can identify themselves:1. What you know - like a password2. What you have - like a keycard, or a one time password generator3. What you are - biometrics

The advantage of 1 is that it can only be stolen when being used.The advantage of 2 is that it can't be easily copied without removing it from the person.The advantage of 3 is that it can't be stolen, but can be copied without being used.

I've seen places like air ports that use all 3. Swipe your card, punch in the pin, and sc

Of course, that whole massive procedure around three-factor authentication goes to hell when the first guy holds the door open for the two people standing behind him. The biggest issue always has and will likely always be social - the person walking around in a jumpsuit with a toolbelt will, in almost all locations, be assumed to be on the maintenance staff and will go completely unquestioned as he attaches mystery devices to the network wiring. Basically, the sooner that we're taken over by the machines,

Heres an extra layer of security for your password.You take another post it note and stick it to your monitor over the top of the one with your password on. To access your password just lift up the top sticky note.

So if someone steals the password list off a server and wants to steal the admin passwords, all he has to do is to read the captcha himself, work it out (being a human and all that), then try to break the hash by adding the 'captcha answer' to the end of the string.

Sure it might make it harder for someone to try to steal passwords from a large list, but if you're only targetting admin (or specific ones) it'll actually make things less secure. You tell people they only need to remember half the password and

It causes "ePDFViewer" (the random PDF viewer firefox and/or linux decided to bring as default option when opening such link in firefox) to hang for a minute and use 100% CPU whenever scrolling or zooming.

as long as I am not able to select my own login AND password.I have a multitude of different logins that were given to me and that I can not change. I have been given a multitude of passwords that I am unable to change, because I am not the only one to use that specific login.

Also have more then one security key.

Oh and I need to change some of them each month. I could easily remember a 32 character password. But not if I need to change it every month AND if I need to remember anywhere between 10-30 AND need to know what login it belongs to AND some can't be that long.

So sure, you can blame the human. However that IS a factor that will not go away. And as long as logins and password are basically a "Hey, I tried to protect the data, so I am safe"-thing for IT people, nothing will change.

To often I see people that are resposible for the security try to find a technological solution for the social problem. Security is not a technical issue. It is a social process.

Got a different password for each of my email accounts, which are different from my social networking sites, which are different from my WoW account.

Plus all my sites are under different email accounts, a separate email account for each site.

Only place I got a concern is fucktarded blizzard which requires you to use your email address as an account name, and the same email address and password on the game, the battlenet account management and on the forums.

to improve password security and not to make a fail safe method. In a way that users can still create passwords like "123456" (they allways will, if they are allowed to), but by adding the captcha they will be harder to crack.

The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

You don't need a bunch of mumbo jumbo to make a brute force attack ineffective, all you need to do is lock the account after x failed login attempts.

I found the method used by an old phone (don't remember brand and model) effective. If you enter incorrect password for the first time, it make you wait 10 seconds before you can try again. A second time, wait 20 seconds, third time, 40 seconds, 4th time, that 80 seconds for you, and it keeps going like that. It gives the real owner of the phone a chance to get it right, but if you brute force, the wait time goes up quickly

Different systems have different parameters. One required 5-8 characters, including 1 number and 1 capital letter. I ran into one that had to be exactly 6 characters, but no other restrictions. One had a requirement of a 'special' character, i.e. $ * # ! ) etc. I understand the restrictions, somewhat, but my passwords tend to be 10-15 characters long with numbers but no special characters. Sometimes a capital letter or 2.

Instead of creating new schemes, just let me use this-"ijustgotanewpuppyandiname

...is that the whole password cannot be decrypted in an automated way, because even though a computer program would quickly guess the short password (SP), the fact that the strong key (SK) is stored as a CAPTCHA prevents the computer program from obtaining it, even with the correct SP.

The point is not (as some seem to believe) to help the user memorize a longer password by storing part of it for him. This approach actually wouldn't introduce any added security, as you still have a single point of failure (t

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

The password for nvidia-latest.crpt [google.com] is "foo". Please decipher the captcha. It turns out your demo, along with turning less than 1K of shell script into 400K of encrypted file, also wiped the original. I've tried q, w, u, n, j, jv for the last letter(s). I figure you need the annoyance a lot more than I do.

Sorry, but I don't understand how this could possibly be any better than combining existing password and CAPTCHA systems, which I am fairly certain has been done before. If the CAPTCHA and password didn't have a link between them it would likely be more secure. Their system only provides some benefit until someone leaks the algorithm for generating the CAPTCHA.

But they fail to realize that the private key is nothing more than a lengthy password

You don't quite understand how PKI works, do you?

and is in fact more susceptible to being stolen than a human-entered password is.

Uh, no, it's not, because a private key stays in one place - you computer - while the password is sent to each server, and you have to trust them to secure it properly. Which, as we have seen with Gawker, won't happen.

I think that is what he is pointing out. A regular password is stored in your brain. A private key is stored someplace on your computer and the computer itself could be stolen, or the data could be copied (border security Gestapo is an example). I also remember some articles about freezing active memory to retrieve stored keys in memory on systems that are secured (locked) but still running.

Of course it is not as simple as that and there is more to consider. Just pointing out that is what I think he mean